According to Gartner, CISOs face a “double-edged sword” as they are tasked with combating the growth of shadow IT while enabling secure access to approved cloud services. Cloud file sharing and collaboration services can be an area of risk as industries must remain vigilant about protecting their IP, ensuring regulatory compliance, and meeting data residency requirements. Today, we’ll take a look at cloud file sharing and collaboration for one industry in particular, Financial Services, which is subject to regulatory requirements including GLBA, PCI DSS, and state and national privacy laws.
What specific challenges do Financial Services firms face?
Whether you’re a bank, an insurance company, or an investment advisory firm, sending your confidential information up to a cloud file sharing services comes with a unique set of concerns:
- External collaboration governance, i.e. control over how sensitive files shared outside the company
- Compromised accounts and data theft from insiders
- Content and compliance, i.e. ensuring that sensitive files that are subject to compliance do not leak out of the organization
- BYOX and content proliferation, i.e. the rise of mobile and the growth in content being accessed from anywhere and from any device
Across all cloud service categories, file sharing accounts for 39% of all company data that’s uploaded to the cloud – and the average company uses 49 such services. Among file sharing users, 34% have uploaded sensitive information to one of these services, information that includes personally identifiable information (PII), payment card information, or other sensitive data that financial services firms own. What’s more, 21% of documents uploaded to file-sharing services contain sensitive or confidential data – not a trivial amount. Lastly, the sharing of information is occurring outside the company itself. Skyhigh found that 18% of external collaboration requests actually went to third-party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail). File sharing enables collaboration, which is a good thing, but when sharing is extended to un-verified personal accounts it can create risk for the organization.
How can firms safeguard themselves?
Fortunately, there are a host of cloud file-sharing providers who are dedicated to ensuring that your data is safely housed within them. Box, for example, provides security features to help you configure permissions and privileges, set custom security policies, and track activity that occurs in Box. They are one of the rare cloud file sharing and collaboration providers that do all three of the following: provide granular access controls, encrypt data at rest, and support multi-factor authentication.
Looking at the market as a whole, we see that only a fraction of cloud file sharing providers provide these key security features:
- Provide granular access controls – 53%
- Encrypt data at rest – 36%
- Use encryption strength 256-bit or higher – 22%
- Support multi-factor authentication – 16%
- Penetration testing performed by the cloud service provider – 36%
- Compliance certifications (such as ISO 27001, SOC2, etc) earned by the cloud service provider – 64%
When we compare all file-sharing services against those providers who specifically have an Enterprise offering, the differences are even more telling. The data shows that a higher percentage of providers with an Enterprise file sharing offer support for all of the security features mentioned above (for example, 46% support encryption at rest, vs. 36% for all cloud file sharing services). Improvements were found in other areas as well; for example, the percentage who supported anonymous use – which is seen as adding risk – dropped from 18% to 6%. From these data points, we can see that companies who sell to large enterprise have an interest in fulfilling the more stringent security and compliance requirements that those customers want.
In addition to the cloud providers themselves, end-users play a key role. We know that most employees who use cloud file sharing services are well-meaning users who simply need to be educated on what’s appropriate and what’s not. (My previous post outlines how just-in-time coaching can reduce your firm’s use of high-risk by 65%).
Gartner suggests that companies with stringent security and compliance requirements consider a Cloud Access Security Broker (CASB) to augment the native security capabilities of cloud file sharing and collaboration services. According to Gartner, a CASB should provide visibility, threat detection, compliance, and data security capabilities. If you’d like to learn more Gartner has published a set of recommendations for organizations interested in mitigating the risks of moving to file-sharing services while reaping the benefits. For more information, download the full Gartner report below.
CASB Magic Quadrant 2019 is here – McAfee a Leader for third consecutive year
CASB RFP Template: 200+ Common Questions Enterprises Are Asking
9 Cloud Computing Security Risks Every Company Faces
Office 365 Security Concerns: Download Definitive Guide to Office 365 eBook
51 AWS Security Best Practices